@tanakayuto/intmax402-core 0.1.2 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/nonce.d.ts +1 -0
- package/dist/nonce.js +7 -1
- package/dist/parse.js +10 -0
- package/package.json +7 -7
package/dist/nonce.d.ts
CHANGED
|
@@ -5,5 +5,6 @@
|
|
|
5
5
|
export declare function generateNonce(secret: string, ip: string, path: string, bindIp?: boolean): string;
|
|
6
6
|
/**
|
|
7
7
|
* Verify a nonce. Checks current and previous window for clock skew tolerance.
|
|
8
|
+
* Uses timingSafeEqual to prevent timing attacks.
|
|
8
9
|
*/
|
|
9
10
|
export declare function verifyNonce(nonce: string, secret: string, ip: string, path: string, bindIp?: boolean): boolean;
|
package/dist/nonce.js
CHANGED
|
@@ -21,6 +21,7 @@ function generateNonce(secret, ip, path, bindIp = false // ← false = AIエー
|
|
|
21
21
|
}
|
|
22
22
|
/**
|
|
23
23
|
* Verify a nonce. Checks current and previous window for clock skew tolerance.
|
|
24
|
+
* Uses timingSafeEqual to prevent timing attacks.
|
|
24
25
|
*/
|
|
25
26
|
function verifyNonce(nonce, secret, ip, path, bindIp = false) {
|
|
26
27
|
const window = getTimeWindow();
|
|
@@ -30,8 +31,13 @@ function verifyNonce(nonce, secret, ip, path, bindIp = false) {
|
|
|
30
31
|
? `${w}:${ip}:${path}`
|
|
31
32
|
: `${w}:${path}`;
|
|
32
33
|
const expected = (0, crypto_1.createHmac)("sha256", secret).update(data).digest("hex");
|
|
33
|
-
|
|
34
|
+
// Fix 4: Use timingSafeEqual to prevent timing attacks
|
|
35
|
+
// Both expected and nonce must be valid hex strings of the same length
|
|
36
|
+
if (expected.length === nonce.length &&
|
|
37
|
+
/^[0-9a-f]+$/i.test(nonce) &&
|
|
38
|
+
(0, crypto_1.timingSafeEqual)(Buffer.from(expected, "hex"), Buffer.from(nonce, "hex"))) {
|
|
34
39
|
return true;
|
|
40
|
+
}
|
|
35
41
|
}
|
|
36
42
|
return false;
|
|
37
43
|
}
|
package/dist/parse.js
CHANGED
|
@@ -36,6 +36,16 @@ function parseAuthorization(header) {
|
|
|
36
36
|
}
|
|
37
37
|
if (!result.address || !result.nonce || !result.signature)
|
|
38
38
|
return null;
|
|
39
|
+
// Fix 6: Input length validation to prevent malformed/oversized inputs
|
|
40
|
+
// address: 42 chars (0x + 40 hex), nonce: 64 chars (sha256 hex), signature: 132 chars (0x + 130 hex)
|
|
41
|
+
if (result.address.length !== 42)
|
|
42
|
+
return null;
|
|
43
|
+
if (result.nonce.length !== 64)
|
|
44
|
+
return null;
|
|
45
|
+
if (result.signature.length !== 132)
|
|
46
|
+
return null;
|
|
47
|
+
if (result.txHash && result.txHash.length > 128)
|
|
48
|
+
return null;
|
|
39
49
|
return {
|
|
40
50
|
address: result.address,
|
|
41
51
|
nonce: result.nonce,
|
package/package.json
CHANGED
|
@@ -1,8 +1,13 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@tanakayuto/intmax402-core",
|
|
3
|
-
"version": "0.1
|
|
3
|
+
"version": "0.2.1",
|
|
4
4
|
"main": "dist/index.js",
|
|
5
5
|
"types": "dist/index.d.ts",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"build": "tsc",
|
|
8
|
+
"clean": "rm -rf dist",
|
|
9
|
+
"typecheck": "tsc --noEmit"
|
|
10
|
+
},
|
|
6
11
|
"dependencies": {},
|
|
7
12
|
"devDependencies": {
|
|
8
13
|
"typescript": "^5.4.0",
|
|
@@ -28,10 +33,5 @@
|
|
|
28
33
|
"express",
|
|
29
34
|
"web3",
|
|
30
35
|
"zk"
|
|
31
|
-
]
|
|
32
|
-
"scripts": {
|
|
33
|
-
"build": "tsc",
|
|
34
|
-
"clean": "rm -rf dist",
|
|
35
|
-
"typecheck": "tsc --noEmit"
|
|
36
|
-
}
|
|
36
|
+
]
|
|
37
37
|
}
|